SELinux: return error codes on policy load failure

policy load failure always return EINVAL even if the failure was for some other reason (usually ENOMEM). This patch passes error codes back up the stack where they will make their way to userspace. This might help in debugging future problems with policy load. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
author: Eric Paris <eparis@redhat.com> 2010-04-20 10:29:42 -0400
committer: James Morris <jmorris@namei.org> 2010-04-20 18:58:49 -0400
commit: a200005038955057063fc8ea82129ebc785df41c (patch)
tree: 712fdedac2d15290cdbe7b8adc02cce844fde9f0 /security
parent: 6f262d8e1acb7b1605b811700326163fa707d355 (diff)
1 files changed, 22 insertions, 15 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 0b44f5a2b7b0..1de60ce90d9a 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1760,22 +1760,28 @@ int security_load_policy(void *data, size_t len)
        if (!ss_initialized) {
                avtab_cache_init();
-                if (policydb_read(&policydb, fp)) {
+                rc = policydb_read(&policydb, fp);
+                if (rc) {
                        avtab_cache_destroy();
-                        return -EINVAL;
+                        return rc;
                }
-                if (selinux_set_mapping(&policydb, secclass_map,
-                                        &current_mapping,
+                rc = selinux_set_mapping(&policydb, secclass_map,
-                                        &current_mapping_size)) {
+                                         &current_mapping,
+                                         &current_mapping_size);
+                if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                        return -EINVAL;
+                        return rc;
                }
-                if (policydb_load_isids(&policydb, &sidtab)) {
+                rc = policydb_load_isids(&policydb, &sidtab);
+                if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                        return -EINVAL;
+                        return rc;
                }
                security_load_policycaps();
                ss_initialized = 1;
                seqno = ++latest_granting;
@@ -1791,8 +1797,9 @@ int security_load_policy(void *data, size_t len)
        sidtab_hash_eval(&sidtab, "sids");
 #endif
-        if (policydb_read(&newpolicydb, fp))
+        rc = policydb_read(&newpolicydb, fp);
-                return -EINVAL;
+        if (rc)
+                return rc;
        /* If switching between different policy types, log MLS status */
        if (policydb.mls_enabled && !newpolicydb.mls_enabled)
@@ -1807,8 +1814,8 @@ int security_load_policy(void *data, size_t len)
                return rc;
        }
-        if (selinux_set_mapping(&newpolicydb, secclass_map,
+        rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
-                                &map, &map_size))
+        if (rc)
                goto err;
        rc = security_preserve_bools(&newpolicydb);
@@ -1819,10 +1826,10 @@ int security_load_policy(void *data, size_t len)
        /* Clone the SID table. */
        sidtab_shutdown(&sidtab);
-        if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
-                rc = -ENOMEM;
+        rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
+        if (rc)
                goto err;
-        }
        /*
         * Convert the internal representations of contexts
author	Eric Paris <eparis@redhat.com>	2010-04-20 10:29:42 -0400
committer	James Morris <jmorris@namei.org>	2010-04-20 18:58:49 -0400
commit	a200005038955057063fc8ea82129ebc785df41c (patch)
tree	712fdedac2d15290cdbe7b8adc02cce844fde9f0 /security
parent	6f262d8e1acb7b1605b811700326163fa707d355 (diff)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 0b44f5a2b7b0..1de60ce90d9a 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -1760,22 +1760,28 @@ int security_load_policy(void *data, size_t len)
1760		1760
1761	if (!ss_initialized) {	1761	if (!ss_initialized) {
1762	avtab_cache_init();	1762	avtab_cache_init();
1763	if (policydb_read(&policydb, fp)) {	1763	rc = policydb_read(&policydb, fp);
		1764	if (rc) {
1764	avtab_cache_destroy();	1765	avtab_cache_destroy();
1765	return -EINVAL;	1766	return rc;
1766	}	1767	}
1767	if (selinux_set_mapping(&policydb, secclass_map,	1768
1768	&current_mapping,	1769	rc = selinux_set_mapping(&policydb, secclass_map,
1769	&current_mapping_size)) {	1770	&current_mapping,
		1771	&current_mapping_size);
		1772	if (rc) {
1770	policydb_destroy(&policydb);	1773	policydb_destroy(&policydb);
1771	avtab_cache_destroy();	1774	avtab_cache_destroy();
1772	return -EINVAL;	1775	return rc;
1773	}	1776	}
1774	if (policydb_load_isids(&policydb, &sidtab)) {	1777
		1778	rc = policydb_load_isids(&policydb, &sidtab);
		1779	if (rc) {
1775	policydb_destroy(&policydb);	1780	policydb_destroy(&policydb);
1776	avtab_cache_destroy();	1781	avtab_cache_destroy();
1777	return -EINVAL;	1782	return rc;
1778	}	1783	}
		1784
1779	security_load_policycaps();	1785	security_load_policycaps();
1780	ss_initialized = 1;	1786	ss_initialized = 1;
1781	seqno = ++latest_granting;	1787	seqno = ++latest_granting;
@@ -1791,8 +1797,9 @@ int security_load_policy(void *data, size_t len)
1791	sidtab_hash_eval(&sidtab, "sids");	1797	sidtab_hash_eval(&sidtab, "sids");
1792	#endif	1798	#endif
1793		1799
1794	if (policydb_read(&newpolicydb, fp))	1800	rc = policydb_read(&newpolicydb, fp);
1795	return -EINVAL;	1801	if (rc)
		1802	return rc;
1796		1803
1797	/* If switching between different policy types, log MLS status */	1804	/* If switching between different policy types, log MLS status */
1798	if (policydb.mls_enabled && !newpolicydb.mls_enabled)	1805	if (policydb.mls_enabled && !newpolicydb.mls_enabled)
@@ -1807,8 +1814,8 @@ int security_load_policy(void *data, size_t len)
1807	return rc;	1814	return rc;
1808	}	1815	}
1809		1816
1810	if (selinux_set_mapping(&newpolicydb, secclass_map,	1817	rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
1811	&map, &map_size))	1818	if (rc)
1812	goto err;	1819	goto err;
1813		1820
1814	rc = security_preserve_bools(&newpolicydb);	1821	rc = security_preserve_bools(&newpolicydb);
@@ -1819,10 +1826,10 @@ int security_load_policy(void *data, size_t len)
1819		1826
1820	/* Clone the SID table. */	1827	/* Clone the SID table. */
1821	sidtab_shutdown(&sidtab);	1828	sidtab_shutdown(&sidtab);
1822	if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {	1829
1823	rc = -ENOMEM;	1830	rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
		1831	if (rc)
1824	goto err;	1832	goto err;
1825	}
1826		1833
1827	/*	1834	/*
1828	* Convert the internal representations of contexts	1835	* Convert the internal representations of contexts